Page 38 - FCW, June 2017

ThinkPiece
groups as well as states. They are easily replicated and distributed across networks, rendering impossible the hope of anything that might be called “cyber nonproliferation.”
Cyber weapons are often deployed under a cloak of anonymity, making it difficult to figure out who is really responsible. And cyberattacks can achieve a broad range of effects, most of which are disruptive and costly but not catastrophic.
That does not mean cyber deterrence is doomed to failure. The sheer scale of cyberattacks demands that we do better to defend against them.
There are three things we can do to strengthen cyber deterrence: improve cybersecurity, employ active defenses and establish international norms for cyberspace. The first two measures will significantly improve our cyber defenses so that even if an attack is not deterred, it will not succeed.
Stepping up protection
Cybersecurity aids deterrence primarily through the principle of denial. It stops attacks before they can achieve their goals. That includes beefing up login security, encrypting data and communications, fighting viruses and other malware, and keeping software updated to patch weaknesses when they’re found.
But even more important is developing products that have few if any security vulnerabilities when they are shipped and installed. The Mirai botnet, capable of generating massive data floods that overload internet servers, takes over devices that have gaping security holes, including default passwords hard-coded into firmware that users can’t change. While some companies such as Microsoft invest heavily in product security, others, including many internet-of-things vendors, do not.
Cybersecurity guru Bruce Schneier aptly characterizes the prevalence of unsecure internet-of-things devices as a market failure akin to pollution. Simply put, the market favors cheap unsecure devices over ones that are more costly but secure. His solution is regulation, either by imposing basic security standards on manufacturers or by holding them liable when their products are used in attacks.
Active defenses
When it comes to taking action against attackers, there are many ways to monitor, identify and counter adversary cyberattacks. Those active cyber defenses are similar to air defense systems that monitor the sky for hostile aircraft and shoot down incoming missiles. Network monitors that watch for and block (“shoot down”) hostile packets are one example, as are honeypots that attract or deflect adversary packets into safe areas, where they do not harm the targeted network and can even be studied to reveal attackers’ techniques.
Another set of active defenses involves collecting, analyzing and sharing information about potential threats so that network operators can respond to the latest developments. For example, operators could regularly scan their systems looking for devices that are vulnerable to or compromised by the Mirai botnet or other malware. If they found some, they could disconnect the devices from the network and alert the devices’ owners to the danger.
Active cyber defense does more than just deny attackers opportunities. It can often unmask the people behind them, leading to punishment. Nongovernment attackers can be shut down, arrested and prosecuted; countries conducting or supporting cyberwarfare can be sanctioned by the international community.
Currently, however, the private sector is reluctant to employ many active defenses because of legal uncertainties. The Center for Cyber and Homeland Security at George Washington University recommends several actions that the government and the private sector could take to enable more widespread use of active defenses, including clarifying regulations.
Setting international norms
Finally, international norms for cyberspace can aid deterrence if national governments believe they would be named and shamed within the international community for conducting a cyberattack. The United States brought charges in 2014 against five Chinese military hackers for targeting American companies. A year later, the U.S. and China agreed to not steal and exploit each other’s corporate secrets for commercial advantage. In the wake of those events, cyber espionage from China plummeted.
Also in 2015, a group of United Nations experts recommended banning cyberattacks against critical infrastructure, including a country’s computer emergency response teams. And later that year, the G20 issued a statement opposing the theft of intellectual property to benefit commercial entities. Those norms might deter governments from conducting such attacks.
Cyberspace will never be immune to attack — no more than our streets will be immune to crime. But with stronger cybersecurity, increased use of active cyber defenses and international norms, we can hope to at least keep a lid on the problem.
Dorothy Denning is a distinguished professor of defense analysis at the Naval Postgraduate School. This article was originally published on “The Conversation.”